I am using an Elasticsearch ingest pipeline in a Filebeat module, and I see the statement of: if: 'ctx.json?.userIdentity?.userName == null'
When json.userIdentity.userName is equal to null, what would the key/value pair look like when the if statement above would be true? {"json.userIdentity.userName":"null"}, {"json.userIdentity.userName":null}, or something else
In addition, is it fair to say that if the field doesnt exist, then the key is also equal to null?
Hello @msr1716
welcome to the community!
What version of Filebeat and module are you referring to?
I cannot find a ctx.json?.userIdentity?.userName == null, but rather a ctx.json?.userIdentity?.userName != null in the aws cloudtrail ingest pipeline.
- append:
field: related.user
value: '{{json.userIdentity.userName}}'
allow_duplicates: false
if: 'ctx.json?.userIdentity?.userName != null'
this processor will add the field related.user if json.userIdentity.userName is set and not null
if json.userIdentity.userName is not set or has a null value the processor will be not applied and the field related.user not set
This is an ingest pipeline on the Elasticsearch side
Regarding the last question, yes, you are right, if a field does not exist the value is null
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.